Last Updated on January 21, 2022 at 8:46 pm
It goes without saying that the protection of online privacy and financial transactions are of utmost importance. This article discusses how we can protect our privacy with strong passwords and how to manage these passwords safely.
About the author: Rajavel is a Computer science Graduate from NIT Trichy. He currently works as a software engineer in a premier Investment bank. He is an avid reader of Freefincal. This time he wanted to give back to the Freefincal community by sharing his knowledge on this subject.
Contents
- Encryption & Hashing
- What happens when you sign up/sign in to a website?
- Unique passwords
- Strong Passwords
- Password managers
Disclaimer: I’m not associated with any of the websites/links/password managers mentioned in this article.
Encryption & Hashing
These are two basic concepts that you must understand first, before understanding how passwords work.
Join over 32,000 readers and get free money management solutions delivered to your inbox! Subscribe to get posts via email! 🔥Enjoy massive discounts on our robo-advisory tool & courses! 🔥
Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext using a key (which is a secret text).
Let us try with an example using AES-128 bit encryption (which uses a 16 character key, each char is 8 bits, so 16*8 = 128), let us try to encode the message “How are you?” using our secret key “ramaramaramarama”, the resulting ciphertext will look like this “ZGYP4/sparcNYA9WBoF0zA==”.
- You can use this link to play around encrypting and decrypting using AES.
- How much time does it take to decrypt without knowing the key?
- Nobody wants to spend this much to decrypt your message.
Basically, the ciphertext can only be decrypted only if we have the key used for encrypting.
Hashing is transforming a string of characters into a fixed-length value or key that represents the original string.
The md5 hash of message “Where are you?” is eccd993f47dec88b14a0c982b6948358
- Try to make the md5 hash for some common word.
- Now try to find if you can reverse the hash using this tool. Many precomputed hashes for common words/text are available on the internet.
- Why hashes cannot be reversed? Hashing is one way only.
So you cannot use hashing to STORE something secret, you cannot retrieve the original message after you hash it. Also, can two sets of data have the same hash values? Yes, but near impossible due to the length of the hash that the modern hashing algorithms produce.
What happens when you sign up/sign in to a website?
When you sign up on a website, a hashing function is used to create a hash of the password you entered, stored on their server – the password itself is discarded. When you log in using your password, the password is sent over the network and hashed on the server using a copy of the same hashing function. The resulting hash is compared to the hash stored on the password server. Only if they match will the user be granted access.
Why are passwords stored as hashes? Because if the website gets hacked someday, only the hashes of passwords will be revealed and not the actual passwords. When data breaches happen these days, the usernames and the corresponding password hashes are sold on the dark web. A lot of precomputed hashes are available on the internet. Basically, for simple passwords like password123, the hashes are well known, so when the hackers see that well-known hash, they can find that your password is password123. But if the website uses salting on passwords before hashing, it becomes trickier to crack your password. More on hashing, how hashes are cracked, salts in hash
But on spooky random websites, where we created logins for the sake of reading articles, playing games etc., we never know how they handle our passwords, they might store our passwords as plain text in their servers. Even if they properly store our passwords hashed, they can still see our password when we signup. Because they ultimately need your password to hash it and store it. In some cases, the password you enter is hashed in your browser and then sent to their servers, but you never know, what changes when we can’t check the source code of every site we use every time. So never believe websites with your passwords.
Okay now let’s assume some random website where you have a login, is compromised, and the hacker managed to find your password. Now it’s easy for him to log in to other websites using the same password or the common variants of it. If your Facebook password was ramaFB123 and was compromised, then ramaTW123 might be a good guess for your Twitter account. There are computer programs that do all this, at speeds of 1 Billion passwords per second. So such variations you create on passwords are not going to protect you. Watch some interesting live-action password cracking here.
Now let’s discuss how websites store our data. We often think all our data is encrypted in the servers behind Google Drive/Gmail/Facebook etc. Yes, all data is encrypted, BUT not with YOUR password as the key, the respective website owns the encryption key. If they had encrypted all your data with your key, even they would not be read your data. Yes, you are right, Google can read your emails.
“So where is my password used then?” Your password is only used to check your login in most cases. After verification, they generally give you some unique browser cookie which will hereafter be used to authenticate you. If all of Google Drive data were compromised one day, nobody would need YOUR password to decrypt YOUR files you stored in Google Drive. But these are privacy issues, which we will not cover in this article.
Unique passwords
What did we understand until now? If your password gets leaked out of some random website, then you are probably in danger.
The only solution is to have different passwords for every website we use. We all have signed in to 100s of websites, and it’s simply not possible to remember 100s of passwords. Before moving on to how we can handle 100 different passwords, let us discuss strong passwords.
Strong Passwords
Is Rama123@ a strong password? Try this to find out. It’s not strong, spend some time experimenting on the above website, with various passwords you can think of. If you play with such tools for some time, you will figure out that passwords with more length take more time to crack. Also at greater lengths like 15 characters, it does not matter much if you use Upper case, numbers, and symbols or not. So it’s the length that matters the most in passwords, the longer it is, the safer you are.
So let’s settle with long passwords, but it’s tough to remember 15 random characters. So we bring in the passphrase concept. A passphrase looks like this: “clever pants oxygen sharpener”. Its 29 characters long, so it’s solid but straightforward to remember. Let us try to understand how.
Let’s try to find how many different PASSWORDS you can make with 29 characters.
Total available characters = 26(lower) + 26(upper) + 10(numbers) + 30(symbols) = 92
Password length = 29
Total No of passwords possible: 92^29 = 890,936,995,405,850,020,916,615,802,384,990,844,247,276,366,492,831,055,872
Wow! It is impossible to brute-force with this big search space (try all possible combinations) for the hacker.
So they would try brute-forcing passphrases (basically now they will try to combine words instead of individual characters), it’s not easy as well.
Let’s try to find how many different combinations you can make with English words for a 4 worded passphrase (like “clever pants oxygen sharpener”)
No of English words available (a simple google search) = 1,71,146
No of Words in our passphrase = 4
Total No of passphrases possible: 1,71,146 ^ 4 = 857,959,946,160,091,395,856.
This is a big enough search space for our password. How much time will it take to crack this? At the rate of 1 Billion password cracking per second. It will take 27,205 years. Still, want a tougher passphrase? Just add one more word, (clever pants oxygen sharpener nuclear). This 5 worded passphrase will take 46 MILLION CENTURIES to crack. You should be happy now!
So a 29 character 4 worded passphrase is almost equally secure as a 29 character random password. Also make sure not to use frequent words, which would make the search space smaller. You can also try some online passphrase generator.
If you introduce numbers, symbols, non-English words in the passphrase, the search space becomes much bigger, which might not be needed. It also adds tension, remembering complex passwords. Don’t bring in combinations like kj7b)*4H anywhere, you will make the search space bigger (which might not be needed), but you might soon forget the password.
So good passphrases are easy to type, easy to remember, easy to write in some secure location, and hard to crack.
Password managers
In the section ‘unique passwords’ we saw that it’s best to have unique passwords for every site we use. After learning about strong passwords we might want to use passphrases for all logins, but still, we cannot remember 100 passphrases.
Password managers come to the rescue, for this article let us assume to use Bitwarden, a famous open-source password manager.
Bitwarden will store all the passwords/passphrases you use for all websites in its vault. The vault will have a master password, which is the only one you will remember, preferable a strong passphrase. Before we even move on, stop me and ask me:
“It’s like putting all eggs in one basket, if my master password gets compromised, then all my passwords are compromised. Why would I do this?”
- It’s not possible to remember 100 different passwords.
- Even if we use a single ultra-strong password (or variants of the same password) for all the websites, there is a vulnerability that some weak website might get hacked and hackers get your password exposed. Or some spooky website you logged in might leak your password. Also, some creepy websites might still store your password in plaintext in their servers.
“Ok, why Bitwarden can’t be hacked or leak our passwords someday?”
Because it’s not possible for Bitwarden, they do not have our master password stored. All our data is encrypted, and only we have the key (which is our master password). So even Bitwarden cannot open and read our vault. After we login, the encrypted vault is sent to us, and decrypting the vault happens in the client-side (our computer). Also, our master password is never sent directly to the servers. Watch this video to understand how the authentication takes place in password managers.
“How are you so sure that they cannot do fishy stuff?” Bitwarden is open source, meaning anybody can see their source code. They are also frequently audited by third party agencies. Why should I trust Bitwarden?
“How do they make money then?” They have premium features paid, like family/enterprise options, vault to store files etc. Bitwarden blog answers most of such common questions.
Now let’s add more complexity, in an extreme case, a hacker might guess your master password or install a key logger in your PC (through some malware) and finds your master password. Ok, now we are doomed.
But there is a solution to protect our self from this: using 2-factor authentication for Bitwarden. You can configure applications like google authenticator or Authy (Google authenticator vs Authy) with your Bitwarden account to enable 2-factor authentication. The authenticator app will generate a 6 digit number which changes every 60 seconds. Every time you log in to Bitwarden, you will have to enter the 6 digit authentication code. Even if the hacker knows your master password, he cannot find the authentication codes as they keep changing every minute. I’m not discussing more on 2-factor authentication in detail here, as it’s a vast topic by itself.
Other major features of Bitwarden for example are, they can suggest you random strong passwords when you sign up for websites, they have browser plugins to autofill passwords when you sign in to websites, they also have a mobile app, you can also store other information like identity, credit cards or even secure notes.
Conclusion
- Always use a password manager to store all your passwords.
- Have a strong master password like “clever pants oxygen sharpener.”
- Enable 2-factor authentication in password manager for more security.
Further reading
- Bitwarden vs Google Password Manager
- Many general discussions about passwords
- Join the Bitwarden community on Reddit. You can see a lot of discussions on concepts related to passwords in general, and you can also post your questions there
🔥Enjoy massive discounts on our courses, robo-advisory tool and exclusive investor circle! 🔥& join our community of 5000+ users!
Use our Robo-advisory Tool for a start-to-finish financial plan! ⇐ More than 1,000 investors and advisors use this!
New Tool! => Track your mutual funds and stock investments with this Google Sheet!
We also publish monthly equity mutual funds, debt and hybrid mutual funds, index funds and ETF screeners and momentum, low-volatility stock screeners.
- Do you have a comment about the above article? Reach out to us on Twitter: @freefincal or @pattufreefincal
- Have a question? Subscribe to our newsletter using the form below.
- Hit 'reply' to any email from us! We do not offer personalized investment advice. We can write a detailed article without mentioning your name if you have a generic question.
Join over 32,000 readers and get free money management solutions delivered to your inbox! Subscribe to get posts via email!
About The Author
Dr M. Pattabiraman(PhD) is the founder, managing editor and primary author of freefincal. He is an associate professor at the Indian Institute of Technology, Madras. He has over ten years of experience publishing news analysis, research and financial product development. Connect with him via Twitter(X), Linkedin, or YouTube. Pattabiraman has co-authored three print books: (1) You can be rich too with goal-based investing (CNBC TV18) for DIY investors. (2) Gamechanger for young earners. (3) Chinchu Gets a Superpower! for kids. He has also written seven other free e-books on various money management topics. He is a patron and co-founder of “Fee-only India,” an organisation promoting unbiased, commission-free investment advice.Our flagship course! Learn to manage your portfolio like a pro to achieve your goals regardless of market conditions! ⇐ More than 3,000 investors and advisors are part of our exclusive community! Get clarity on how to plan for your goals and achieve the necessary corpus no matter the market condition is!! Watch the first lecture for free! One-time payment! No recurring fees! Life-long access to videos! Reduce fear, uncertainty and doubt while investing! Learn how to plan for your goals before and after retirement with confidence.
Our new course! Increase your income by getting people to pay for your skills! ⇐ More than 700 salaried employees, entrepreneurs and financial advisors are part of our exclusive community! Learn how to get people to pay for your skills! Whether you are a professional or small business owner who wants more clients via online visibility or a salaried person wanting a side income or passive income, we will show you how to achieve this by showcasing your skills and building a community that trusts and pays you! (watch 1st lecture for free). One-time payment! No recurring fees! Life-long access to videos!
Our new book for kids: “Chinchu Gets a Superpower!” is now available!
Must-read book even for adults! This is something that every parent should teach their kids right from their young age. The importance of money management and decision making based on their wants and needs. Very nicely written in simple terms. - Arun.Buy the book: Chinchu gets a superpower for your child!
How to profit from content writing: Our new ebook is for those interested in getting side income via content writing. It is available at a 50% discount for Rs. 500 only!
Do you want to check if the market is overvalued or undervalued? Use our market valuation tool (it will work with any index!), or get the Tactical Buy/Sell timing tool!
We publish monthly mutual fund screeners and momentum, low-volatility stock screeners.
About freefincal & its content policy. Freefincal is a News Media Organization dedicated to providing original analysis, reports, reviews and insights on mutual funds, stocks, investing, retirement and personal finance developments. We do so without conflict of interest and bias. Follow us on Google News. Freefincal serves more than three million readers a year (5 million page views) with articles based only on factual information and detailed analysis by its authors. All statements made will be verified with credible and knowledgeable sources before publication. Freefincal does not publish paid articles, promotions, PR, satire or opinions without data. All opinions will be inferences backed by verifiable, reproducible evidence/data. Contact information: letters {at} freefincal {dot} com (sponsored posts or paid collaborations will not be entertained)
Connect with us on social media
- Twitter @freefincal
- Subscribe to our YouTube Videos
- Posts feed via Feedburner.
Our publications
You Can Be Rich Too with Goal-Based Investing
Published by CNBC TV18, this book is meant to help you ask the right questions and seek the correct answers, and since it comes with nine online calculators, you can also create custom solutions for your lifestyle! Get it now.Gamechanger: Forget Startups, Join Corporate & Still Live the Rich Life You Want
This book is meant for young earners to get their basics right from day one! It will also help you travel to exotic places at a low cost! Get it or gift it to a young earner.Your Ultimate Guide to Travel
This is an in-depth dive into vacation planning, finding cheap flights, budget accommodation, what to do when travelling, and how travelling slowly is better financially and psychologically, with links to the web pages and hand-holding at every step. Get the pdf for Rs 300 (instant download)